In the past few days, the Information Commissioner's Office has announced its intention to fine British Airways a whopping £183.39 million for breaches of data protection laws. The breach is thought to have started in June 2018 and to have affected about 500,000 visitors to the BA website who had details like their payment card information, travel booking data and log-in details compromised.
Contrast this to the announcement just 24 hours later that the ICO intend to fine Marriott International £99.2 million for a data breach that is thought to have affected about 339 million guests (including 7 million in the UK).
BA's fine has hit headlines for being the largest since the new data protection laws came into force across the EU in May 2018. Under the GDPR, regulators can now issue fines of up to £17 million (€20 million) or 4% of global turnover. This new record was preceded by Google which was fined €50 million by the French regulator (CNIL) in January 2019. In the UK, the previous record-breaking fine was much lower and held in part by Facebook which was fined £500,000 (the maximum under old data protection laws).
Interesting, it's reported that the British Airways fine amounts to only 1.5% of its global turnover in 2017 – some way off the 4% threat. Perhaps even more interestingly is that this is a regulator's fine alone; under the GDPR individuals now have the power to bring private action if they have been affected by a breach of data protection laws.
This may not be the only financial penalty BA suffers.
The announcements this week serve as a reminder of a few things:
- The power now wielded by data protection regulators across the EU is fierce and only just being felt. Until now, most data breaches were investigated under the old law and so whilst this is record-breaking today, it may not be tomorrow.
- It isn't just the likes of Facebook and Google that risk finding themselves in the record books. Neither BA nor the Marriott International are organisations known for trading in personal data or for doing anything particularly controversial with the personal data held. These fines go to show that all organisations can find themselves vulnerable to hackers and all organisations are therefore vulnerable to these fines.
- Full details of the BA cyber-attack aren't yet known except that (in the words of the ICO) data "was compromised by poor security arrangements". The importance of ensuring that technology also keeps up with new data protection laws cannot be underestimated. Putting policies in place is great, but it's only one step towards data protection compliance which goes to the heart of an organisation.
I doubt that these are the dizzying heights Alex Cruz (BA's CEO) or IAG (BA's owner) thought they would be soaring this summer.